Exabeam Integration Guide

Overview

The Exabeam integration allows your NINA workflows to seamlessly connect with Exabeam's Security Operations Platform for comprehensive threat detection, investigation, and response capabilities. This integration enables you to manage security alerts, investigation cases, asset intelligence, and perform advanced event searches directly from your workflows, providing a unified approach to security operations.

Status

We currently support comprehensive operations across Exabeam resources:

• Alert Management: Search, retrieve, and update security alerts from Exabeam Threat Center
• Case Management: Create cases from alerts, manage investigation lifecycle, and collaborate with notes
• Asset Intelligence: Access notable assets with risk scoring and detailed asset information
• Advanced Search: Perform complex event searches using Exabeam Query Language
• Health Monitoring: Monitor Exabeam platform health and service availability status

Some of the main capabilities include:

• Unified Threat Center Operations: Centralized management of alerts and investigation cases
• Alert-to-Case Workflow: Convert alerts to cases for structured investigation
• Risk-Based Prioritization: Leverage Exabeam's risk scoring for asset and alert prioritization
• Advanced Event Analytics: Query security events with flexible filtering and aggregation
• Case Collaboration: Track investigation progress with notes and stage management
• Asset Monitoring: Identify and investigate notable assets based on behavioral analytics

Credential Configuration

Before using the Exabeam integration in your workflows, you need to configure credentials for authentication. The NINA platform supports two authentication methods for Exabeam:

Authentication Methods

1. API Token (Recommended)

For direct API access using Cluster Authentication Token:

Field	Description	Example
Base URL	Exabeam API base URL	https://api.us-west.exabeam.cloud
API Token	Cluster Authentication Token	eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Region	Exabeam cloud region (optional)	us-west

How to get your API Token:

1. Log in to your Exabeam Security Operations Platform
2. Navigate to Settings > Admin Operations
3. Select Cluster Authentication Token
4. Click Generate Token or copy existing token
5. Store the token securely - it provides full API access

Available Regions:

• us-west - US West (default)
• us-east - US East
• eu - Europe
• sg - Singapore
• jp - Japan
• au - Australia
• ca - Canada
• ch - Switzerland
• sa - South Africa
• uk - United Kingdom

2. OAuth2 Client Credentials

For OAuth2 authentication with cloud deployments:

Field	Description	Example
Base URL	Exabeam API base URL	https://api.us-west.exabeam.cloud
Client ID	OAuth2 Client ID (API Key)	client-123456789
Client Secret	OAuth2 Client Secret (API Key Secret)	secret-abcdef123456
Region	Exabeam cloud region (optional)	us-west

How to create OAuth2 credentials:

1. Log in to your Exabeam Security Operations Platform
2. Navigate to Settings > Admin Operations
3. Select API Keys
4. Click Create API Key
5. Provide a name (e.g., "NINA Integration")
6. Select appropriate permissions
7. Copy the Client ID and Client Secret

Creating an Exabeam Credential in NINA

1. Navigate to the Credentials section in NINA

2. Click Add New Credential

3. Fill in the credential details:

   • Name: A descriptive name (e.g., "Exabeam Production")
   • Description: Optional details about the credential's purpose
   • Integration Service: Select "Exabeam"
   • Auth Type: Choose "API Token (Recommended)" or "OAuth2 Client Credentials"
   • Base URL: Enter your Exabeam API endpoint
   • Fill in the authentication fields based on your selected auth type

4. Click Test Connection to verify credentials

5. Click Save to store the credential

Exabeam API Base URLs

Exabeam has different base URLs depending on your cloud region:

Region	Base URL
US West (default)	https://api.us-west.exabeam.cloud
US East	https://api.us-east.exabeam.cloud
Europe	https://api.eu.exabeam.cloud
Singapore	https://api.sg.exabeam.cloud
Japan	https://api.jp.exabeam.cloud
Australia	https://api.au.exabeam.cloud
Canada	https://api.ca.exabeam.cloud
Switzerland	https://api.ch.exabeam.cloud
South Africa	https://api.sa.exabeam.cloud
United Kingdom	https://api.uk.exabeam.cloud
On-Premise	https://your-exabeam-server.company.com

For on-premise deployments, use your organization's Exabeam server URL.

Supported Resources and Operations

The Exabeam integration supports the following resources and operations:

Alert

Operation	Description
Search Alerts	Search for alerts matching specified criteria with filtering and time range
Get Alert	Retrieve details of a specific alert by ID
Update Alert	Update alert details such as name, description, priority, or tags

Case

Operation	Description
Search Cases	Search for cases matching specified criteria with filtering
Get Case	Retrieve details of a specific case by ID
Create Case	Create a new investigation case from an alert
Update Case	Update case details or change case stage (NEW, INVESTIGATION, CLOSED)
Add Note to Case	Add an investigative note to a case for collaboration
List Case Notes	Retrieve all notes for a case

Asset

Operation	Description
Get Notable Assets	List notable assets with high risk scores based on behavioral analytics
Get Asset Info	Retrieve detailed asset information and risk score by ID
Get Asset Data	Retrieve basic asset data by name

Advanced Search

Operation	Description
Search Events	Search for security events using advanced filters and Exabeam Query Language

Health

Operation	Description
Get Application Health Status	Retrieve health status and uptime metrics for Exabeam applications and services across date ranges

Parameter Merging and Templating

The Exabeam integration takes full advantage of NINA's parameter merging and templating capabilities:

Parameter Sources (in order of precedence)

1. Node Parameters: Parameters configured directly in the Exabeam Integration Node
2. Extracted Parameters: Parameters automatically extracted from the input data
3. Input Data: The complete input data from upstream nodes

When an Exabeam Integration Node executes:

• It combines parameters from all sources
• Node parameters take precedence over extracted parameters
• Template variables within parameters are processed (using {{variable_name}} syntax)
• The combined parameters are used to execute the Exabeam operation

Example: Managing Security Alerts

Searching for Security Alerts

Below is an example of searching for security alerts with filtering:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "alert",
  "operation": "search",
  "parameters": {
    "filter": "caseId:null AND priority:HIGH",
    "startTime": "2024-01-01T00:00:00Z",
    "endTime": "2024-01-31T23:59:59Z",
    "limit": 100,
    "orderBy": "riskScore DESC"
  }
}

This searches for uncased high-priority alerts in January 2024, ordered by risk score.

Getting Specific Alert Details

Retrieve detailed information about a specific alert:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "alert",
  "operation": "get",
  "parameters": {
    "alertId": "12345678-1234-5678-9abc-123456789def"
  }
}

Updating Alert Status with Template Variables

You can use template variables to dynamically update alerts based on input data:

Input Data from Previous Node:

{
  "alert_id": "12345678-1234-5678-9abc-123456789def",
  "investigation": {
    "priority": "CRITICAL",
    "title": "Suspicious lateral movement detected",
    "summary": "Multiple failed authentication attempts followed by successful access to sensitive systems",
    "tags": ["lateral-movement", "privilege-escalation", "investigation"]
  }
}

Node Configuration with Template Variables:

{
  "integration_service": "exabeam",
  "resource": "alert",
  "operation": "update",
  "parameters": {
    "alertId": "{{alert_id}}",
    "alertName": "{{investigation.title}}",
    "alertDescription": "{{investigation.summary}}",
    "priority": "{{investigation.priority}}",
    "tags": "{{investigation.tags}}"
  }
}

Example: Case Management and Investigation

Creating a Case from an Alert

Convert an alert into an investigation case:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "case",
  "operation": "create",
  "parameters": {
    "alertId": "12345678-1234-5678-9abc-123456789def",
    "alertName": "Lateral Movement Investigation",
    "alertDescription": "Investigating suspected lateral movement activity from compromised workstation",
    "priority": "HIGH",
    "stage": "NEW",
    "assignee": "[email protected]",
    "queue": "Tier-2 Analysis",
    "tags": ["lateral-movement", "active-investigation"]
  }
}

Creating a Case with Template Variables

Dynamic case creation based on alert triage:

Input Data from Alert Triage:

{
  "alert": {
    "id": "12345678-1234-5678-9abc-123456789def",
    "title": "Data Exfiltration Attempt",
    "risk_score": 95
  },
  "triage": {
    "verdict": "true_positive",
    "severity": "CRITICAL",
    "analyst": "[email protected]",
    "investigation_queue": "Incident Response",
    "threat_indicators": ["large data transfer", "unusual destination", "after hours"]
  }
}

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "case",
  "operation": "create",
  "parameters": {
    "alertId": "{{alert.id}}",
    "alertName": "URGENT: {{alert.title}} (Risk: {{alert.risk_score}})",
    "alertDescription": "Threat Indicators: {{join triage.threat_indicators ', '}}. Requires immediate investigation.",
    "priority": "{{triage.severity}}",
    "stage": "INVESTIGATION",
    "assignee": "{{triage.analyst}}",
    "queue": "{{triage.investigation_queue}}",
    "tags": ["{{triage.verdict}}", "high-risk", "data-exfiltration"]
  }
}

Updating Case Status and Stage

Progress a case through investigation stages:

Input Data:

{
  "case_id": "case-98765432-1234-5678-9abc-123456789def",
  "investigation_complete": true,
  "findings": {
    "verdict": "confirmed malicious activity",
    "impact": "contained - no data loss",
    "remediation": "host isolated and credentials reset"
  }
}

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "case",
  "operation": "update",
  "parameters": {
    "caseId": "{{case_id}}",
    "stage": "CLOSED",
    "closedReason": "Already Mitigated or Resolved",
    "supportingReason": "{{findings.verdict}}. {{findings.impact}}. Actions taken: {{findings.remediation}}",
    "priority": "MEDIUM"
  }
}

Case Stage Options:

• NEW - Newly created case
• INVESTIGATION - Active investigation in progress
• CLOSED - Investigation completed and case closed

Closed Reason Options (required when stage is CLOSED):

• Already Mitigated or Resolved
• False Positive or Duplicate
• Low Risk
• Rule Misconfiguration
• Policy or Setup Issue
• Other

Adding Investigation Notes

Collaborate on cases by adding notes:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "case",
  "operation": "addNote",
  "parameters": {
    "caseId": "case-98765432-1234-5678-9abc-123456789def",
    "note": "Analysis Update: Reviewed network traffic logs. Confirmed outbound connection to known C2 infrastructure. Host has been isolated and forensic image captured for further analysis."
  }
}

With Template Variables:

{
  "integration_service": "exabeam",
  "resource": "case",
  "operation": "addNote",
  "parameters": {
    "caseId": "{{case_id}}",
    "note": "**{{analysis.timestamp}}**: {{analysis.findings}}\n\nEvidence: {{analysis.evidence_path}}\nAnalyst: {{analysis.analyst_name}}"
  }
}

Retrieving Case Notes

Get all investigation notes for a case:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "case",
  "operation": "listNotes",
  "parameters": {
    "caseId": "case-98765432-1234-5678-9abc-123456789def"
  }
}

Example: Asset Intelligence and Risk Monitoring

Getting Notable Assets

Retrieve assets with high risk scores for proactive monitoring:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "asset",
  "operation": "getNotable",
  "parameters": {
    "timePeriod": "7 days",
    "limit": 50
  }
}

Time Period Options:

• 1 day, 7 days, 30 days (days)
• 1 hour, 24 hours (hours)
• 1 month, 3 months (months)

Getting Detailed Asset Information

Retrieve comprehensive asset details including risk score:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "asset",
  "operation": "get",
  "parameters": {
    "assetId": "WORKSTATION-001",
    "maxUsers": 50
  }
}

Getting Asset Data by Name

Retrieve basic asset data:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "asset",
  "operation": "getData",
  "parameters": {
    "assetName": "WORKSTATION-001"
  }
}

Dynamic Asset Investigation

Investigate assets flagged in alerts:

Input Data from Alert:

{
  "alert": {
    "id": "alert-123",
    "affected_assets": ["WORKSTATION-001", "SERVER-DB-05"],
    "risk_threshold": 75
  }
}

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "asset",
  "operation": "get",
  "parameters": {
    "assetId": "{{alert.affected_assets[0]}}",
    "maxUsers": 100
  }
}

Example: Advanced Event Search

Searching Security Events

Perform advanced event searches using Exabeam Query Language:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "search",
  "operation": "events",
  "parameters": {
    "query": "product:\"Audit Log\" AND user:\"admin*\"",
    "startTime": "2024-01-01T00:00:00Z",
    "endTime": "2024-01-31T23:59:59Z",
    "fields": ["timestamp", "user", "action", "source_ip", "destination"],
    "limit": 1000,
    "orderBy": ["timestamp DESC"],
    "distinct": false
  }
}

Event Search with Aggregation

Search with grouping and aggregation:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "search",
  "operation": "events",
  "parameters": {
    "query": "event_type:\"login_failed\"",
    "startTime": "2024-01-01T00:00:00Z",
    "endTime": "2024-01-31T23:59:59Z",
    "fields": ["user", "source_ip", "timestamp"],
    "groupBy": ["user", "source_ip"],
    "orderBy": ["count DESC"],
    "limit": 100
  }
}

Dynamic Event Search

Search based on alert context:

Input Data from Alert:

{
  "alert": {
    "user": "jdoe",
    "source_ip": "192.168.1.100",
    "timeframe": {
      "start": "2024-01-15T08:00:00Z",
      "end": "2024-01-15T18:00:00Z"
    }
  }
}

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "search",
  "operation": "events",
  "parameters": {
    "query": "user:\"{{alert.user}}\" AND source_ip:\"{{alert.source_ip}}\"",
    "startTime": "{{alert.timeframe.start}}",
    "endTime": "{{alert.timeframe.end}}",
    "fields": ["*"],
    "limit": 500,
    "orderBy": ["timestamp ASC"]
  }
}

Example: Health and Service Monitoring

Checking Service Health Status

Monitor overall Exabeam platform health and service availability:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "health",
  "operation": "appStatus",
  "parameters": {}
}

This retrieves health data for the default period (current date minus 30 days to current date).

Response Structure:

{
  "items": [
    {
      "applicationName": "APIs",
      "uptime": 0.99,
      "majorOutageInSeconds": 3600,
      "partialOutageInSeconds": 7200,
      "date": "2026-02-17T00:00:00Z"
    },
    {
      "applicationName": "Cloud Collectors",
      "uptime": 1.0,
      "majorOutageInSeconds": 0,
      "partialOutageInSeconds": 0,
      "date": "2026-02-17T00:00:00Z"
    }
  ]
}

Getting Health Status for Specific Date Range

Retrieve health metrics for a specific time period:

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "health",
  "operation": "appStatus",
  "parameters": {
    "startDate": "2026-02-01",
    "endDate": "2026-02-17"
  }
}

Important: Date parameters must be in YYYY-MM-DD format (not full ISO-8601 datetime).

• 2026-02-17 ✓ Correct
• 2026-02-17T14:30:00Z ✗ Incorrect (will return 400 error)

Dynamic Health Monitoring with Template Variables

Check health status for a specific date range using template variables:

Input Data:

{
  "monitoring": {
    "start_date": "2026-02-10",
    "end_date": "2026-02-17"
  }
}

Node Configuration:

{
  "integration_service": "exabeam",
  "resource": "health",
  "operation": "appStatus",
  "parameters": {
    "startDate": "{{monitoring.start_date}}",
    "endDate": "{{monitoring.end_date}}"
  }
}

Health Monitoring Workflow Pattern

Typical workflow for continuous service health monitoring:

Schedule Node (daily) → Exabeam Health Node → Script Node (analyze uptime) → Alert Node (if downtime > threshold) → Slack Node (notification)

Use this pattern to:

• Monitor SLA compliance
• Track platform availability trends
• Detect recurring outages
• Alert on major service degradation
• Generate health reports

Integration in Workflow Context

The Exabeam integration is particularly powerful when combined with other nodes in a workflow:

Common Workflow Patterns:

1. Alert Triage and Case Creation:

   • Schedule Node (periodic check) → Exabeam Integration Node (search alerts) → Script Node (triage logic) → Exabeam Integration Node (create case) → Slack Node (notification)

2. Automated Investigation:

   • Webhook Node (alert received) → Exabeam Integration Node (get alert details) → Exabeam Integration Node (search events) → Script Node (analyze) → Exabeam Integration Node (add case note) → Report Node

3. Asset Risk Monitoring:

   • Schedule Node (daily) → Exabeam Integration Node (get notable assets) → Script Node (filter high risk) → Jira Node (create tickets) → Email Node (summary report)

4. Threat Hunting:

   • Input Node (IOC list) → Script Node (prepare queries) → Exabeam Integration Node (search events) → Script Node (correlation) → Exabeam Integration Node (create alert) → Report Node

5. Case Status Tracking:

   • Schedule Node (hourly) → Exabeam Integration Node (search cases) → Script Node (SLA check) → Exabeam Integration Node (update case) → Microsoft Teams Node (escalation)

6. Alert-to-SIEM Enrichment:

   • Exabeam Integration Node (get alert) → Exabeam Integration Node (get asset info) → Script Node (enrich data) → CrowdStrike Integration Node (create IOC) → Slack Node (notification)

Working with Time Ranges and Filters

Time Range Best Practices

Exabeam requires ISO-8601 formatted timestamps for time ranges:

Format: YYYY-MM-DDTHH:mm:ssZ

Examples:

• 2024-01-01T00:00:00Z - Start of January 1st, 2024 (UTC)
• 2024-01-31T23:59:59Z - End of January 31st, 2024 (UTC)

Dynamic Time Ranges with Template Variables:

{
  "parameters": {
    "startTime": "{{time.start}}",
    "endTime": "{{time.end}}"
  }
}

Filter Expressions

Exabeam uses query syntax for filtering:

Basic Filters:

• caseId:null - Alerts not yet associated with a case
• priority:HIGH - High priority items
• stage:"CLOSED" - Closed cases (note the quotes for multi-word values)

Combined Filters:

• caseId:null AND priority:HIGH - Uncased high-priority alerts
• NOT stage:"CLOSED" - All cases except closed ones
• priority:HIGH OR priority:CRITICAL - High or critical priority

Common Filter Fields:

• Alerts: caseId, priority, riskScore, alertName, tags
• Cases: stage, priority, assignee, queue, tags, caseNumber
• Events: product, user, source_ip, event_type, action

Alert and Case Priority Levels

Priority Options

• CRITICAL - Highest priority, immediate action required
• HIGH - High priority, prompt attention needed
• MEDIUM - Medium priority, standard investigation
• LOW - Low priority, informational or minimal risk

These values are case-sensitive and should be used exactly as shown.

Troubleshooting

Issue	Resolution
Authentication failures	Verify your API token or OAuth2 credentials are correct. For API token auth, ensure you're using the Cluster Authentication Token from Admin Operations. For OAuth2, verify both client ID and secret are accurate.
"Unauthorized" or 401 errors	Check that your API token has not expired and has the necessary permissions. Regenerate the token if needed from the Exabeam console.
Invalid time range errors	Ensure timestamps are in ISO-8601 format (YYYY-MM-DDTHH:mm:ssZ). Start time must be before end time.
"Alert not found" errors	Verify the alert ID is correct and the alert exists. UUIDs are case-sensitive.
"Case not found" errors	Verify the case ID is correct. Cases may have been deleted or you may not have permission to access them.
Filter syntax errors	Check filter syntax - use colons for field matching (field:value), AND/OR for combinations, and quotes for multi-word values.
Rate limiting	Exabeam has API rate limits. If you encounter rate limiting, implement delays between requests or reduce request frequency.
Region mismatch	Ensure your base URL matches your Exabeam region. Using the wrong region endpoint will result in connection errors.
OAuth token expiration	The integration automatically handles token refresh. If issues persist, recreate your OAuth2 credentials.
"Closed reason required" error	When updating a case stage to CLOSED, you must provide closedReason parameter.
Advanced Analytics API errors	The notable assets and asset info endpoints use the Advanced Analytics API (/uba/api/). These may require specific licensing or on-premise deployment.
Empty search results	Verify your time range includes the period when data was generated. Exabeam retains data based on your retention policy.

Best Practices

1. Use API Token Authentication: API token authentication is simpler and more reliable than OAuth2 for most use cases. Use the Cluster Authentication Token for production workflows.

2. Set Appropriate Time Ranges: Be specific with time ranges to improve search performance. Avoid unnecessarily wide date ranges that return excessive results.

3. Leverage Risk Scores: Use Exabeam's risk scoring to prioritize alerts and assets. Focus on items with risk scores above your organization's threshold.

4. Implement Alert-to-Case Workflows: Automate the conversion of high-priority alerts to cases to ensure structured investigation and tracking.

5. Use Case Notes for Collaboration: Add detailed notes to cases to maintain investigation context and facilitate team collaboration.

6. Tag Consistently: Apply consistent tags to alerts and cases to improve searchability and reporting. Establish a tagging taxonomy for your team.

7. Monitor Notable Assets: Regularly query notable assets to identify potential compromised systems before major incidents occur.

8. Close Cases with Context: When closing cases, always provide detailed closed reasons and supporting information for future reference and metrics.

9. Use Filter Expressions Efficiently: Pre-filter data at the API level using filter expressions rather than retrieving all data and filtering in your workflow.

10. Implement Error Handling: Build robust error handling for API failures, especially for time-sensitive security operations.

11. Leverage Template Variables: Use NINA's template variables to create dynamic, context-aware queries and updates based on upstream data.

12. Respect API Limits: Be mindful of result limits (default 500 for most operations). Use pagination or adjust limit parameters as needed.

13. Use Advanced Search for Correlation: Leverage the event search capability to correlate security events across different data sources and time periods.

14. Maintain Case Lifecycle: Move cases through stages systematically (NEW → INVESTIGATION → CLOSED) to maintain accurate metrics and reporting.

15. Document Integration Points: Keep documentation of your Exabeam integration workflows for troubleshooting and knowledge transfer.

16. Monitor Integration Health: Regularly test your Exabeam integration credentials and monitor for authentication or connectivity issues.

17. Use Distinct for Aggregations: When performing event searches with groupBy, consider using the distinct parameter to get unique results.

18. Validate Asset Identifiers: Asset IDs can be hostnames or IP addresses. Ensure you're using the correct identifier format for your environment.

19. Consider Time Zones: Exabeam uses UTC timestamps. Convert local times to UTC when constructing time ranges to avoid confusion.

20. Review Generated JQL: When using advanced search, review the Exabeam Query Language syntax to optimize your searches and understand result sets.

Updated: 2026-02-19